(SURFCHROME.COM) - How Incognito is Incognito Mode? When I first heard about the Incognito Window within the Google Chrome browser, I thought it was a brilliant idea. Some even refer to it as Porn Mode. When I told my friend Samarjit Bharadwaj (Sam) who works as a government contractor at a Fortune 500 Company, I could literally hear his eyes rolling in the back of his turban. It was explained that hard drive data is never truly deleted. The data is still there but Windows makes the file invisible and marks the space as available for rewriting. Furthermore, for those familiar with forensics, usually data recovery is as simple as finding the location of the deleted files, highlighting the hidden files you want to recover, then pressing a button. Yes, it's that simple. If you wanted to make data truly unrecoverable, the Department of Defense (DOD) standard is overwriting the data with a minimum of 7 passes. To be sure, Sam suggested throwing the hard disk drive at one of those electromagnets they use at junk yards then melting it in a crematorium furnace for several hours.
I had a challenge for Sam and rushed over to his house to test Incognito Mode. I wanted him to surf the web in Google Chrome via an Incognito Window then attempt tracing his activities via any file recovery methods. As an engineer, Sam was more accustomed to visiting schematics and mathematical probabilities but I pointed him over to a celebrity picture site. Sam seemed to have growing interest in pursuing this little experiment as he viewed thumbnails and clicked through various paparazzi photographs of Lindsay Lohan, Natalie Portman and Megan Fox among others. I literally had to restrain him from further browsing since I think we had enough data in browsing history, cache and cookies. After closing the Incognito Window, we are led to believe by Google that all traces of cache, history and cookies are unrecoverable.
While Sam's work software is proprietary and probably classified, he did suggest a good program that performs equally well called PC Inspector File Recovery. The results were truly startling and unexpected. There was no trace of cached images, history nor cookies. The forensics program could only find one deleted file from the cache directory dated two days previously on Sept 2, 2008. There were no deleted files for the date of testing on Sep 5, 2008. The data was hidden even better than Osama bin Laden.
Sam made the conclusion that Incognito Mode might use one technique that circumvents data recovery software. If a program writes to Random Access Memory (RAM), then the data is never written to the hard drive (virtual memory) and therefore never has to be deleted. So thanks to the dropping prices of RAM chips, a portion of the 2GB standard could easily be allocated to Google Chrome. Sam wanted privacy as he prepared his shrimp masala with jasmine rice so I had to excuse myself. Personally, I think he wanted more time to surf privately in Incognito Mode.
Source http//
Sam made the conclusion that Incognito Mode might use one technique that circumvents data recovery software. If a program writes to Random Access Memory (RAM), then the data is never written to the hard drive (virtual memory) and therefore never has to be deleted.
Looks like Sam has never heard of page files. Or hibernation files. 😯
If a program writes to Random Access Memory (RAM), then the data is never written to the hard drive (virtual memory) and therefore never has to be deleted.
/me checks watch to see how long it takes Harlan to mention live analysis… D
This will make for some interesting testing.
Did an experiment on a machine in my lab: searched for a unique image in Google that wouldn't have appeared on the laptop before, in an incognito window, then closed the window.
After closing the window I did a full grep search for the hex from the image (which I got by finding the image on another computer and writing down its hex).
Full search: 0 instances of the unique picture, but as laid out in previous posts, if I had hibernated the computer and a hibernation file was created this may have been a different story.
It may be a long shot but perhaps Google would like to send someone along to the next big forensics conference. Always interesting to get it from the horse's mouth.
Thanks to those doing early testing,
You can keep data in non-paged memory, like PGP does. -> no swapfile.
Since I have so much free time I thought I would play with Incognito.
Some quick findings. When I first launch Chrome it starts two instances of chrome.exe. When I launch a new incognito window it creates a new third instance of chrome.exe. Each new window of incognito starts a new instance of chrome.exe which seems to start with 9376 K (based on setting the preferences to use Blank as the start page). However the first instance (based on PID) of chrome.exe gets exponentially larger with each new tab that is opened in incognito. That instance of chrome.exe stays large even if all the tabs of incognito are closed (which results in a tab showing about:blank). Once the incognito window is closed the first instance drops in size.
I will be interested to read some of the more scientific reports on Chrome.
To test the Pagefile theory you could just carve it for JPGs and see if the viewed pics are sitting in there… Again, out of bounds for most over-the-counter/average housewife snoops, but everyday stuff for forensic guys.
If it is the Pagefile where the images exist… I like the RAM idea better, but I guess future testing will prove that out.
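Added example (not code from this thread, PC Inspector, or Chrome): a small Python scanner that does both checks the posters describe, grepping a raw pagefile or memory image for the hex of a known image and carving JPEG header/footer spans from it. The image path as a command-line argument and the sample bytes are assumptions constructed for the demo.

```python
import mmap
import re
import sys
from typing import List, Tuple

# JPEG Start Of Image marker (followed by the next marker's 0xFF) and End Of Image.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def find_signature(data, sig: bytes) -> List[int]:
    """Offsets of every occurrence of a known byte pattern (the 'grep for
    the image's hex' check); accepts bytes or an mmap of the pagefile."""
    return [m.start() for m in re.finditer(re.escape(sig), data)]


def carve_jpegs(data, max_len: int = 16 * 1024 * 1024) -> List[Tuple[int, int]]:
    """Naive header/footer carve: return (offset, length) for each SOI..EOI
    span, giving up on a header with no footer within max_len bytes."""
    hits = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end < 0:  # header without a footer: skip it, keep scanning
            pos = start + 1
            continue
        hits.append((start, end + len(JPEG_EOI) - start))
        pos = end + len(JPEG_EOI)
    return hits


# Constructed sample: zero filler, one fake 53-byte JPEG at offset 100, more filler.
FAKE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + JPEG_EOI
SAMPLE = b"\x00" * 100 + FAKE_JPEG + b"\xab" * 50


if __name__ == "__main__":
    # Usage (assumed): python carve.py pagefile.sys  (run against a copy, not the live file)
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for off, length in carve_jpegs(mm):
            print(f"JPEG candidate at offset {off:#x}, {length} bytes")
```

This plain signature scan applies to pagefile.sys or a raw RAM dump; hiberfil.sys is stored compressed, so it has to be decompressed first or the markers will not appear.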
Just as a sidestep, someone has already released a piece of software to investigate Chrome:
http//